Vapt

The document describes how to monitor network traffic using Wireshark. It explains that Wireshark allows capturing network packets in real-time and filtering them to troubleshoot network issues. It then provides step-by-step instructions on installing Wireshark, selecting an interface, starting packet capture, applying filters, and saving captured traffic. The instructions guide monitoring network traffic at a granular level to analyze security and identify potential threats.

Uploaded by

Sri Gouri

Experiment 1: Monitoring Network Traffic

Description: Wireshark helps you capture network packets and display them at a granular level. Once these packets are broken down, you can use them for real-time or offline analysis. The tool lets you put your network traffic under a microscope, then filter and drill down into it, zooming in on the root cause of problems, which assists with network analysis and ultimately network security. Wireshark enables you to capture, interpret, filter and inspect data packets to troubleshoot effectively.

Monitoring network traffic is a crucial aspect of maintaining network security and identifying potential threats and anomalies.

Below are step-by-step instructions on how to monitor network traffic using a network monitoring tool like Wireshark.

Procedure:

1. Install Wireshark:

- Download and install Wireshark, a widely used network traffic analysis tool, from its official website.
- Follow the installation wizard and select the necessary components for your operating system.

2. Select the Network Interface:

- Launch Wireshark and choose the network interface you want to monitor from the list of available interfaces.
- Ensure you have the necessary permissions to capture network traffic on the selected interface.

3. Start Capturing Traffic:

- Click the "Start" button in Wireshark to begin capturing network traffic on the selected interface.
- Wireshark will start capturing packets in real-time, displaying them in the main window.

4. Filter Network Traffic:

- Use filters to narrow down the captured traffic and focus on specific protocols or sources/destinations.
- Apply filters by typing expressions in the filter bar (e.g., "ip.addr==192.168.1.1" to show traffic to/from a specific IP address).

5. Save Captured Traffic:

- Save the captured network traffic to a file for later analysis or for sharing with other team members or security experts.
- Go to "File" > "Save As" and choose a destination and file format (e.g., PCAP or PCAPNG).

6. Stop Capturing Traffic:

- Click the "Stop" button in Wireshark to halt the packet capture process.
- After stopping, you can continue analyzing the captured packets.
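
What steps 4 and 5 amount to when the analysis is done offline, as an added example that is not part of the original lab sheet: the script reads a classic PCAP file with Python's standard library and keeps the packets whose source or destination matches an address, the same test the display filter ip.addr==192.168.1.1 applies. The capture bytes are constructed inside the script, and it assumes an untagged Ethernet capture carrying IPv4.

```python
import socket
import struct

LINKTYPE_ETHERNET = 1

def build_sample_pcap():
    """Constructed capture (not real traffic): three Ethernet/IPv4 frames."""
    def frame(src, dst, proto):
        eth = bytes(12) + struct.pack("!H", 0x0800)        # zeroed MACs, EtherType IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        return eth + ip
    frames = [frame("192.168.1.1", "192.168.1.38", 6),     # TCP
              frame("192.168.1.38", "10.0.0.5", 17),       # UDP
              frame("192.168.1.38", "192.168.1.1", 1)]     # ICMP
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, link type
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def read_packets(data):
    """Yield (ts_sec, frame) for each record in classic-PCAP bytes."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte pcap global header")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not classic PCAP (PCAPNG and nanosecond variants not handled)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        frame = data[offset + 16: offset + 16 + incl_len]
        if len(frame) < incl_len:
            break                                          # truncated last record
        offset += 16 + incl_len
        yield ts_sec, frame

def ipv4_endpoints(frame):
    """Return (src, dst, protocol) for an untagged Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), frame[23]

def filter_ip_addr(data, addr):
    """Same test as ip.addr==addr: keep packets where source OR destination matches."""
    hits = []
    for ts, frame in read_packets(data):
        ep = ipv4_endpoints(frame)
        if ep and addr in ep[:2]:
            hits.append((ts,) + ep)
    return hits

if __name__ == "__main__":
    for ts, src, dst, proto in filter_ip_addr(build_sample_pcap(), "192.168.1.1"):
        print(ts, src, "->", dst, "proto", proto)
```

A file saved as PCAPNG in step 5 is rejected by the magic-number check; save as PCAP to read it with this script.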

Output:
Experiment 2: Host & Services Discovery using Nmap

Description: Nmap (Network Mapper) is an open-source utility for network discovery, security auditing and network scanning, developed by Gordon Lyon. Network administrators use it to detect the devices currently running on the system and the port numbers through which the devices are connected. Many systems and network administrators also use it for managing network inventory, service upgrade schedules, and monitoring host and service uptime. At the top level, Nmap is a tool with which a network administrator can detect or diagnose the services running on an Internet-connected system in order to identify potential security flaws. It is also used to automate repetitive tasks, such as monitoring a service.

Procedure: All the commands below can be used in the Nmap command prompt.

1. nmap -v www.svit.ac.in

Description: To know the IP address, services, open ports and MAC addresses of the server.

2. nmap 172.67.203.111

Description: To know information using the IP address.

3. sudo nmap -sA 172.67.203.111

Description: To know if a firewall is there or not.

4. nmap -p 80 172.67.203.111

Description: To scan with ports.

5. nmap -p 1-65535 172.67.203.111

Description: To scan many ports.

6. nmap -sV 172.67.203.111 -A

Description: To scan to know services.

7. nmap -sS 192.168.232.2 -O

Description: To detect the OS.

8. nmap -sn 172.67.203.11/24

Description: To scan with ports.

9. nmap -sL 172.67.203.111

Description: To scan with host discovery.

Output:
Experiment 3: Vulnerability Scanning using OpenVAS
Description: OpenVAS is free software that provides various services and tools for vulnerability assessment. A vulnerability is a weakness or flaw in a system. If a system is vulnerable, it can face threats to user identity and data, so it is always advisable to assess the vulnerability of the system. Vulnerability assessment is a process that identifies, enumerates and ranks the vulnerabilities present in a system or network in order to patch them. Basically, it is concerned with the security of the system resources.

Procedure:
1. Access OpenVAS Web Interface (https://app.greenbone.cloud/):

- Open a web browser and access the OpenVAS web interface using the specified URL.

2. Login to OpenVAS:

- Log in to the web interface using the default credentials, or create a cloud account using your official college account; for example, I created a free account with shravan@svit.ac.in.

3. Create a Target:

- Define a target for vulnerability scanning by specifying the IP range or individual host to be scanned; for example, you can give the IP address of the target. This may be the IP address of our college, found through the traceroute or ping command.

4. Schedule the Scan:

- Initiate the vulnerability scan by clicking scan configuration.

5. Review Scan Results:

- Once the scan completes as per the scheduled time, review the scan results, which will highlight vulnerabilities.

6. Prioritize and Remediate:

- Prioritize vulnerabilities based on severity and potential impact, and plan the remediation process accordingly.

7. View Reports:

- All the targets will be scanned as per the schedule.


Output:
Experiment 4(a,b): Mapping and Scanning using Nmap

Description: Nmap (Network Mapper) is an open-source utility for network discovery, security auditing and network scanning, developed by Gordon Lyon. Network scanning is the method used to scan a network, primarily for security assessment and maintaining the system. Hackers use it for carrying out attacks. Ethical hackers and technical teams use network scanning to check whether the devices in use are working as expected and whether there are any vulnerabilities and loopholes. By finding the issues, they can then troubleshoot them.

Mapping the application: you have to know more about the application you are targeting. The mantra for finding bugs is enumeration… The more you know about how an application works, the easier things get; that is called mapping.

Procedure:
1. sudo nmap -sA 172.67.203.111

Description: To know if a firewall is there or not.

2. nmap -p 80 172.67.203.111

Description: To scan with ports.

3. nmap -p 1-65535 172.67.203.111

Description: To scan many ports.

4. nmap -sV 172.67.203.111 -A

Description: To scan to know services.

5. nmap -sS 192.168.232.2 -O

Description: To detect the OS.

6. nmap -sn 172.67.203.11/24

Description: To scan with ports.

Output:
Experiment 4(c): Gaining access through CVEs
Description:
CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw that has been assigned a CVE ID number. Security advisories issued by vendors and researchers almost always mention at least one CVE ID. CVEs help IT professionals coordinate their efforts to prioritize and address these vulnerabilities to make computer systems more secure. Common Vulnerabilities and Exposures (CVE) is a database of publicly disclosed information security issues. A CVE number uniquely identifies one vulnerability from the list. CVE provides a convenient, reliable way for vendors, enterprises, academics, and all other interested parties to exchange information about cyber security issues. Enterprises typically use CVE, and the corresponding CVSS scores, for planning and prioritization in their vulnerability management programs.

Procedure:

1. Download Wappalyzer, a Chrome extension for identifying the tech stack of any company.

2. Open the website (www.cybersapiens.com.au) and then click on Wappalyzer to see what technology is used, and identify whether WordPress is used and its version.

3. Go to the wp-admin subdomain of that website; you can see that the admin username and password are open, so an information-leakage CVE is present in the WordPress version used.
Output:
Experiment 4(d): ARP POISONING
Description:
ARP is the acronym for Address Resolution Protocol. It is used to convert IP addresses to physical addresses [MAC addresses] on a switch. The host sends an ARP broadcast on the network, and the recipient computer responds with its physical address [MAC address]. The resolved IP/MAC address is then used to communicate. ARP poisoning is sending fake MAC addresses to the switch so that it associates the fake MAC addresses with the IP address of a genuine computer on the network, allowing the traffic to be hijacked.

Procedure:

1. Open the command prompt and enter the following command:

arp -a

2. Enter the following command to input the IP address and physical MAC address of your machine:

arp -s 192.168.1.38 60-36-DD-A6-C5-43

3. Use the following command to view the ARP cache:

arp -a

4. Use the following command to remove an entry:

arp -d 192.168.1.38

Now the ARP poisoning works by sending fake MAC addresses to the switch.
Experiment 4(e): DNS Poisoning
Description: Domain Name System (DNS) poisoning happens when fake information is entered into the cache of a domain name server, resulting in DNS queries producing an incorrect reply and sending users to the wrong website. DNS poisoning also goes by the terms “DNS spoofing” and “DNS cache poisoning.” DNS servers take the words you type in when looking up a website, such as “svit.ac.in.com,” and use them to find the Internet Protocol (IP) address associated with it. These addresses are stored in the DNS cache. If the wrong IP address is put in the cache, the user gets directed somewhere other than where they want to go.

Procedure:

DNS Poisoning –

1. Prepare the Attack Environment:

- Set up an attacker machine on the local network, or if attempting remote DNS poisoning, ensure network
connectivity to the target DNS server.

2. Identify the Target DNS Server:

- Identify the IP address of the target DNS server that the victim relies on for domain name resolution.

3. Understand the DNS Cache:

- Learn about the caching mechanism of the target DNS server, including the TTL (Time to Live) values for
DNS records.

4. Select the Domain to Spoof:

- Choose a domain that you want to spoof and for which you want to redirect the DNS responses.

5. Resolve the Spoofed Domain:

- On the attacker machine, set up a web server or an IP address that will serve as the fake destination for the
spoofed domain.

6. Generate Fake DNS Responses:

- Use DNS spoofing tools like `dnsspoof` or `Ettercap` to generate forged DNS responses with the spoofed
domain and corresponding IP address.

7. Launch the DNS Poisoning Attack:

- Execute the DNS poisoning attack by sending the forged DNS responses to the target DNS server.

- The DNS server's cache will be updated with the malicious DNS records.

8. Monitor DNS Requests and Responses:

- As the victim sends DNS requests, the attacker will intercept and respond with the forged DNS responses.

- The victim's DNS cache will be poisoned with the malicious DNS records.

9. Redirect Victim's Traffic:

- When the victim tries to access the spoofed domain, they will be redirected to the attacker-controlled
destination.

10. Cleanup and Mitigation:

- After the attack, restore the DNS server's cache and take measures to prevent future DNS poisoning attacks,
such as implementing DNSSEC (DNS Security Extensions) and using DNS filtering and monitoring solutions.
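
The monitoring mentioned in step 10, as an added example that is not part of the original lab sheet: a resolver sends one response per query, so two responses to the same client, transaction ID and name that carry different answers within a short window are the trace a forged reply leaves on the wire. The record format and every line of sample data are constructed for this example.

```python
from collections import defaultdict

# Constructed sensor records, one DNS response packet per line:
# time_ms  client_ip  txid  qname  first_A_record  ttl
SAMPLE_RESPONSES = """\
1000 192.168.1.38 0x1a2b svit.ac.in 172.67.203.111 300
1004 192.168.1.38 0x1a2b svit.ac.in 192.168.1.106 86400
2000 192.168.1.38 0x2c3d example.org 203.0.113.10 300
2400 192.168.1.40 0x1a2b svit.ac.in 172.67.203.111 300
9000 192.168.1.38 0x1a2b svit.ac.in 172.67.203.111 300
"""

def parse_responses(text):
    """Turn the constructed record lines into dictionaries."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip blank or malformed lines
        t, client, txid, qname, answer, ttl = parts
        records.append({"t": int(t), "client": client, "txid": int(txid, 16),
                        "qname": qname.lower().rstrip("."), "answer": answer,
                        "ttl": int(ttl)})
    return records

def find_conflicting_responses(records, window_ms=2000):
    """Report queries that received differing answers within window_ms."""
    by_query = defaultdict(list)
    for r in records:
        by_query[(r["client"], r["txid"], r["qname"])].append(r)
    findings = []
    for key, group in by_query.items():
        group.sort(key=lambda r: r["t"])
        for i, first in enumerate(group):
            rivals = [r for r in group[i + 1:]
                      if r["t"] - first["t"] <= window_ms and r["answer"] != first["answer"]]
            if rivals:
                findings.append({"client": key[0], "txid": key[1], "qname": key[2],
                                 "answers": [first["answer"]] + [r["answer"] for r in rivals],
                                 "ttls": [first["ttl"]] + [r["ttl"] for r in rivals]})
                break  # one finding per query is enough
    return findings

if __name__ == "__main__":
    for f in find_conflicting_responses(parse_responses(SAMPLE_RESPONSES)):
        print(f)
```

The check cannot tell which of the two answers is the forged one, so both are reported together with their TTLs for the analyst to compare against the authoritative record.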
Experiment 5(a): Evaluating external Infrastructure using Nmap

Description: External penetration testing (also known as external network penetration testing) is a security assessment of an organization's perimeter systems. Your perimeter comprises all those systems which are directly reachable from the internet. By nature, they are the most exposed systems, as they are out in the open and are therefore the most easily and regularly attacked.
The aim of an external pentest is to find ways to compromise your accessible (external) systems and services, gain access to sensitive information, and discover methods an attacker could use to attack your clients or users.
In this exercise, we are assuming www.svit.ac.in as the external site, as the server is located elsewhere, and for privacy and security reasons it is safe to use this site.
Procedure:
1. Basic scan of an IP address or host:

nmap svit.ac.in

2. Scan the most used ports:

nmap --top-ports 20 192.168.1.106

3. Scan hosts and IP addresses read from a text file

Create a list.txt file that contains these lines:

192.168.1.106

www.svit.ac.in

The “-iL” parameter lets you read from that file and scan all those hosts:

nmap -iL list.txt

4. Scan with OS and service detection, fast execution, and TCP and UDP scans

Using the “-A” parameter enables you to perform OS and service detection, and at the same time we are combining this with “-T4” for faster execution. See the example below:

nmap -A -T4 svit.ac.in

nmap -sT svit.ac.in

nmap -sU svit.ac.in

5. Scan the most popular ports

Using the “--top-ports” parameter along with a specific number lets you scan the top X most common ports for that host, as shown:

nmap --top-ports 20 192.168.1.106


Output:
Experiment 5(b): Creating topological map & identifying IP address of target
Description: Network topology, typically represented by a topology map, describes the physical or logical configuration of the nodes and links of a communications network. Nodes are the points of connection for links, which are the physical transmission media used to connect network devices. Network topology is the arrangement of the elements (links, nodes, etc.) of a communication network. Network topology can be used to define or describe the arrangement of various types of telecommunication networks, including command and control radio networks.

Network topology is the structure of a network and may be depicted physically or logically. It is an application of graph theory wherein communicating devices are modeled as nodes and the connections between the devices are modeled as links or lines between the nodes. Physical topology is the placement of the various components of a network (e.g., device location and cable installation), while logical topology illustrates how data flows within a network. Distances between nodes, physical interconnections, transmission rates, or signal types may differ between two different networks, yet their logical topologies may be identical.

Procedure:
1. Download and install Nmap (please make sure you check all the options while installing).

2. Go to Start and click the Zenmap application in the list displayed.

3. Key in the target as svit.ac.in in the GUI screen displayed.

4. Make a note of the topological map created by clicking on the Topology tab.

5. Save it by clicking the graphic tab and name the file as per your preference.
Output:
Experiment 5(c): Lookup domain registry for IP information
Description: A domain name registry is a database of all domain names and the associated registrant information in the top-level domains of the Domain Name System (DNS) of the Internet that enables third-party entities to request administrative control of a domain name. Most registries operate on the top level and second level of the DNS. A domain name is not the type of thing that you can buy off the shelf. The process follows a systematic protocol, which is coordinated by a top-level nonprofit authority called ICANN (Internet Corporation for Assigned Names and Numbers). Simply put, ICANN oversees domain registration. Domain names only become valid after they are entered into its central registry (domain registry). The role of the domain registry is to manage and maintain domain names. This leaves the task of selling domain names to domain registrars. To become a domain name registrar, you need accreditation from ICANN. With that, you get to sell domain names to the public either directly or through resellers.

Procedure:

1. Start the browser.

2. Type whois.domaintools.com.

3. In the textbox, type the target host name as svit.ac.in.

4. Hit Submit and note down the details corresponding to the fields.
Output:
Experiment 5(d): Examining use of IPv6 at remote location
Description: An IPv6 address is a 128-bit alphanumeric value that identifies an endpoint device in an Internet Protocol Version 6 (IPv6) network. IPv6 is the successor to a previous addressing infrastructure, IPv4, which had limitations IPv6 was designed to overcome. Notably, IPv6 has a drastically increased address space compared to IPv4.

In precise terms, an IPv6 address is 128 bits long and is arranged in eight groups, each of which is 16 bits. Each group is expressed as four hexadecimal digits and the groups are separated by colons.

An example of a full IPv6 address could be:

FE80:CD00:0000:0CDE:1257:0000:211E:729C

Procedure:

1. Open the command prompt by typing cmd in the search bar of your computer.

2. Type nslookup followed by the target website for which you want to know the details.

3. Note down the details that are displayed. You can see the 128-bit address, which is in IPv6 format, and also the normal IP address, which is 32 bits.

Output:
Experiment 6: Types of vulnerability scanning
1. Broken access control occurs when an issue with the access control enforcement allows a user to perform an
action outside of the user's limits. For example, an attacker may be able to exploit a flaw in an application with
the intention of gaining elevated access to data to which they are not entitled and can perform unauthorized
actions.

2. A cryptographic failure flaw can occur when you store or transmit data in clear text or try to protect data with
old or weak encryption. For example, consider a site that doesn't enforce TLS for all pages. An attacker steals
the user's session cookie and then replays this cookie and hijacks the user's (authenticated) session, accessing or
modifying the user's private data.

3. Injection attacks are a type of security vulnerability that arises when an application takes user input and uses
that input in an unsafe way. Injection attacks are one of the most dangerous attacks where an attacker simply
sends malicious data to make the application process it and do something it is not supposed to do.

4. Insecure design is expressed as “missing or ineffective control design.” If a system or product design is not
secure, it can be considered an insecure design. For instance, a malicious actor could reserve 600 movie tickets
for a specific timeframe, preventing genuine buyers from reserving any. This situation could have been
prevented if the system design had limited reservations to just 15 tickets.

5. Misconfiguration vulnerabilities are configuration weaknesses that may exist in software components or may
have unneeded services enabled, such as remote administration functionality. For example, web server software
may ship with default user accounts that an attacker can use to access the system, or the software may contain
sample files, such as configuration files and scripts that an attacker can exploit.

6. The term “vulnerable” or “outdated” components is used to describe software susceptible to being breached,
hacked, or otherwise compromised. An attacker may exploit component vulnerabilities and then gain access to
unauthorized information, modify data, or cause a denial of service (DoS). Components can include OS,
Database, API and Server etc.

7. Identification and authentication failures can occur when functions related to a user's identity, authentication, or session management are not implemented correctly. Attackers may be able to exploit identification and authentication failures by compromising passwords, keys or session tokens, or by exploiting other implementation flaws to assume other users' identities.

8. Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations or that uses software from untrusted sources. An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, or system compromise.

9. Failure to sufficiently log, monitor, or report security events makes suspicious behavior difficult to detect and greatly increases the chances of an attacker successfully taking advantage of your application. For example, a children's health plan provider's website operator couldn't detect a breach due to a lack of monitoring and logging. The attacker had accessed and modified thousands of sensitive health records.

10. Server Side Request Forgery (SSRF) attacks are used to target internal systems that are behind firewalls and are not accessible from the external network. In a normal SSRF attack, the attacker might cause the server to make a connection to internal services, exploiting internally running services such as SSH, localhost, FTP etc., and steal the data.
